WO2015196659A1 - Method and device for connection authentication between a desktop cloud client and a server - Google Patents

Method and device for connection authentication between a desktop cloud client and a server

Info

Publication number
WO2015196659A1
Authority
WO
WIPO (PCT)
Prior art keywords
desktop cloud
virtual machine
authentication information
management system
encrypted authentication
Application number
PCT/CN2014/089095
Other languages
English (en)
French (fr)
Inventor
周佳
陈彬
刘大宇
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2015196659A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols

Definitions

  • the present invention relates to the field of desktop cloud technologies in a cloud computing environment, and in particular, to a method and related device for secure connection authentication between a desktop cloud client and a server in the desktop cloud domain.
  • a desktop cloud refers to accessing cross-platform applications through a thin client or any other device connected to the network.
  • the user's desktop environment is centrally deployed in the enterprise's data center.
  • the local terminal is only a relatively low-specification integrated circuit unit with the usual interfaces for connecting display and input devices. Its own processing power is very low; it mainly relies on connecting to a remote server to share the resources of a virtualized processor resource pool.
  • the hosted desktop provided by the desktop cloud supports access from various terminal devices, and network-based access gives enterprise users very flexible work processing capability: wherever there is a network, employees can enter the enterprise office environment over the network to process their work.
  • since all of the user's data is deployed on remote servers, trusted cloud computing becomes an important concern for users, covering trusted access security, trusted network security and trusted security management. Trusted access security, that is, connection authentication between the desktop cloud client and server, is the primary security guarantee of the desktop cloud. In other words, because the data of desktop cloud users all resides on cloud servers, protecting user privacy is especially important, desktop cloud security is a key problem to be solved, and connection authentication between the desktop cloud client and server carries the first line of that security responsibility.
  • in the existing secure connection authentication method of the desktop cloud, the user generally enters an account on the terminal login interface and completes the desktop cloud connection authentication and authorization with a password, by inserting a USB KEY, or by collecting a fingerprint feature.
  • a virtual machine is then selected from the user's virtual machine (VM) list to log in.
  • in this connection authentication method, some of the user information used for connection authentication (account, password, USB KEY, fingerprint feature, etc.) is stored directly in the local data center and sent to the server for authentication in plain text.
  • such handling is easily abused by malware, causing account passwords and other information to be leaked, so user information security cannot be guaranteed.
  • in addition, login information needs to be entered again when entering the virtual desktop system, and authentication is required again when using certain desktop cloud application services.
  • each application system in the desktop cloud has its own independent authentication method. Such repeated authentication not only brings a lot of inconvenience to the user, but also easily leads to password leakage.
  • there are also more complex connection authentication methods, for example setting up a dedicated authentication server in the system that is responsible for authenticating the identity of desktop cloud users at login. This approach does improve the security of the desktop cloud, but it also increases the operating cost and maintenance workload of the desktop cloud system.
  • the embodiment of the invention provides a method and a device for connecting authentication between a desktop cloud client and a server, which can better solve the security problem of connection authentication between the desktop cloud client and the server.
  • a method for connection authentication between a desktop cloud client and a server is provided, which is applied to a desktop cloud client and includes:
  • the desktop cloud client obtains a list of virtual machines by logging in to the desktop cloud management system.
  • after the verification is passed, the selected virtual machine is logged in using the authorized encrypted authentication information and the connection parameters.
  • the step of obtaining the virtual machine list by logging in to the desktop cloud management system by the desktop cloud client includes:
  • the desktop cloud client sends the user information including the user name and the authentication information of the desktop cloud client to the desktop cloud management system.
  • the desktop cloud management system queries the corresponding virtual machine list using the user name sent by the desktop cloud client, and the virtual machine list is obtained from it.
  • the step of selecting the virtual machine to be logged in from the virtual machine list and obtaining the connection parameters and encrypted authentication information of the virtual machine through the desktop cloud management system includes:
  • the desktop cloud client obtains the virtual machine to be logged in by the user in the virtual machine list, and sends a login request that includes the virtual machine information to the desktop cloud management system.
  • the virtual machine connection parameter is generated by the desktop cloud management system by parsing the login request sent by the desktop cloud client, and obtaining the virtual machine information therein;
  • the encrypted authentication information is obtained by the desktop cloud management system encrypting the authentication information by using an encryption key allocated when the virtual machine is created.
  • the step of the desktop cloud client initiating a connection request for verifying the encrypted authentication information to the desktop cloud server includes:
  • the desktop cloud client sends a connection request carrying the encrypted authentication information to the desktop cloud server.
  • the verification result is obtained by the desktop cloud server in the following manner:
  • the desktop cloud server decrypts the encrypted authentication information sent by the desktop cloud client by using a decryption key allocated when the virtual machine is created, to obtain authentication information;
  • the step of logging in the selected virtual machine by using the encrypted authentication information and the connection parameter includes:
  • the automatic login information bound to the virtual machine is obtained using the authorized encrypted authentication information, and the selected virtual machine is logged in automatically using that automatic login information and the connection parameters.
  • the method further includes:
  • when a desktop cloud application service is accessed using the logged-in virtual machine, the user permission for the desktop cloud application service accessed by the user is obtained through the desktop cloud management system;
  • the desktop cloud application service is directly used according to the acquired user rights.
  • a method for connection authentication between a desktop cloud client and a server is provided, which is applied to a desktop cloud server, including:
  • the encrypted authentication information is obtained by the desktop cloud client in the following manner:
  • the desktop cloud client obtains a virtual machine list by logging in to the desktop cloud management system
  • the step of verifying the encrypted authentication information, after the verification is passed, sending the verification pass information to the desktop cloud client includes:
  • the desktop cloud server decrypts the encrypted authentication information sent by the desktop cloud client by using a decryption key that is allocated when the virtual machine is created, to obtain authentication information;
  • the decrypted authentication information is compared with the pre-stored authentication information corresponding to the user name; if they match, the encrypted authentication information is confirmed as verified and verification-pass information is sent to the desktop cloud client.
  • the encrypted authentication information is obtained as follows: the desktop cloud client sends user information including its user name and authentication information to the desktop cloud management system, and the desktop cloud management system encrypts the authentication information with the encryption key allocated when the virtual machine was created.
  • an apparatus for connection authentication between a desktop cloud client and a server including:
  • the virtual machine list obtaining module is configured to obtain a virtual machine list by logging in to the desktop cloud management system;
  • the parameter obtaining module is configured to select the virtual machine to be logged in from the virtual machine list and obtain the connection parameters and encrypted authentication information of the virtual machine through the desktop cloud management system;
  • the connection requesting module is configured to initiate a connection request to the desktop cloud server for verifying the encrypted authentication information;
  • the virtual machine login module is configured to log in the selected virtual machine using the authorized encrypted authentication information and the connection parameters after the verification is passed.
  • the virtual machine list obtaining module sends the user information including the user name and the authentication information to the desktop cloud management system, and receives the corresponding virtual machine list that is queried by the desktop cloud management system by using the user name.
  • the parameter obtaining module acquires a virtual machine to be logged in by the user in the virtual machine list, sends a login request that includes the virtual machine information to the desktop cloud management system, and receives the desktop cloud management.
  • the connection requesting module sends a connection request carrying the encrypted authentication information to the desktop cloud server and receives the verification result generated by the desktop cloud server in response to the request, where the desktop cloud server decrypts the encrypted authentication information with the decryption key allocated when the virtual machine was created, obtains the authentication information, compares it with the pre-stored authentication information corresponding to the user name, and generates a verification result indicating that the encrypted authentication information passes verification when they match.
  • the virtual machine login module uses the authorized encrypted authentication information to obtain the automatic login information bound to the virtual machine, and logs in the selected virtual machine automatically using that automatic login information and the connection parameters.
  • the apparatus also includes:
  • the service access module is configured to obtain, through the desktop cloud management system, the user rights of the desktop cloud application service accessed by the user when the logged-in virtual machine is used to access that service, and to use the desktop cloud application service directly according to the acquired user rights.
  • the invention also provides a computer program and a carrier thereof, the computer program comprising program instructions which, when executed by a desktop cloud client, enable the desktop cloud client to implement the above connection authentication method between a desktop cloud client and a server.
  • the invention also provides a computer program and a carrier thereof, the computer program comprising program instructions which, when executed by a desktop cloud server, enable the desktop cloud server to implement the above connection authentication method between a desktop cloud client and a server.
  • the embodiments of the invention can improve the security of desktop cloud system access and reduce the risk of user information leakage at lower cost.
  • the embodiment of the present invention can automatically log in to the virtual machine to avoid cumbersome procedures for the user to manually log in.
  • the embodiment of the present invention can implement application-free access to some desktop cloud application services in a secure manner.
  • FIG. 1 is a schematic block diagram of a method for connection authentication between a desktop cloud client and a server according to an embodiment of the present invention.
  • FIG. 2 is a block diagram of a device for connection authentication between a desktop cloud client and a server according to an embodiment of the present invention.
  • FIG. 3 is a process diagram of a connection authentication process between a desktop cloud client and a server provided by an embodiment of the present invention.
  • FIG. 4 is a process diagram of an authentication-free process for using a desktop cloud application service according to an embodiment of the present invention.
  • FIG. 1 is a schematic block diagram of a method for connection authentication between a desktop cloud client and a server according to an embodiment of the present invention. As shown in FIG. 1 , the steps include:
  • Step S101 The desktop cloud client obtains a virtual machine list by logging in to the desktop cloud management system.
  • the desktop cloud client sends user information including the user name and the authentication information to the desktop cloud management system through a webpage or similar interface; the desktop cloud management system queries the corresponding virtual machine list using the user name and sends the list to the desktop cloud client.
  • Step S102 A virtual machine to be logged in is selected from the virtual machine list, and the connection parameters and encrypted authentication information of the virtual machine are obtained through the desktop cloud management system.
  • the desktop cloud client obtains the virtual machine chosen by the user from the virtual machine list and sends a login request containing the virtual machine information to the desktop cloud management system. The desktop cloud management system parses the login request, obtains the virtual machine information in it, generates the connection parameters of the virtual machine, encrypts the authentication information with the encryption key allocated when the virtual machine was created to obtain the encrypted authentication information, and sends the connection parameters and the encrypted authentication information to the desktop cloud client.
  • Step S103 The desktop cloud client initiates a connection request to the desktop cloud server for verifying the encrypted authentication information.
  • the desktop cloud client sends a connection request carrying the encrypted authentication information to the desktop cloud server. The desktop cloud server decrypts the encrypted authentication information with the decryption key allocated when the virtual machine was created, obtains the authentication information, and compares it with the pre-stored authentication information corresponding to the user name. If they match, the encrypted authentication information passes verification and the verification result is sent to the desktop cloud client.
  • Step S104 After the verification is passed, the selected virtual machine is logged in using the authorized encrypted authentication information and the connection parameters.
  • the virtual machine automatic login information bound to the virtual machine is obtained using the authorized encrypted authentication information, and the selected virtual machine is logged in automatically using that automatic login information and the connection parameters. In other words, once the desktop cloud server has verified the encrypted authentication information, the user is logged in to the selected virtual machine directly, without a manual login.
  • after the virtual machine is accessed, if a desktop cloud application service needs to be accessed, the user's permission for that desktop cloud application service is obtained through the desktop cloud management system, and the desktop cloud application service is used directly according to the acquired permission. In other words, a user with the appropriate permission can use the service provided by the desktop cloud application service without further authentication. If the desktop cloud server fails to verify the encrypted authentication information when the user logs in to the virtual machine, the user must log in manually.
  • the invention thus realizes automatic login to the virtual machine operating system while ensuring the security of the connection, and binds the connection authentication information to the desktop cloud application services, thereby realizing authentication-free access to applications.
  • FIG. 2 shows the device, which includes a virtual machine list obtaining module 201, a parameter obtaining module 202, a connection requesting module 203, a virtual machine login module 204 and a service access module 205.
  • the virtual machine list obtaining module 201 obtains the virtual machine list by logging in to the desktop cloud management system. Specifically, it sends user information including the user name and the authentication information to the desktop cloud management system, which queries the corresponding virtual machine list by the user name and sends it to the desktop cloud client.
  • the parameter obtaining module 202 obtains the virtual machine chosen by the user from the virtual machine list and sends a login request containing the virtual machine information to the desktop cloud management system. The desktop cloud management system generates the connection parameters of the virtual machine, encrypts the authentication information with the encryption key allocated when the virtual machine was created to obtain the encrypted authentication information (which improves the security of the connection authentication), and finally sends the connection parameters and the encrypted authentication information to the desktop cloud client.
  • the connection requesting module 203 initiates a connection request to the desktop cloud server for verifying the encrypted authentication information. Specifically, it sends a connection request carrying the encrypted authentication information to the desktop cloud server.
  • the desktop cloud server decrypts the encrypted authentication information with the decryption key allocated when the virtual machine was created, obtains the authentication information, compares it with the pre-stored authentication information corresponding to the user name, and when they match generates a verification result indicating that the encrypted authentication information passes verification.
  • the virtual machine login module 204 logs in the selected virtual machine using the authorized encrypted authentication information and the connection parameters. Specifically, it uses the authorized encrypted authentication information to obtain the automatic login information bound to the virtual machine, and logs in the selected virtual machine automatically using that automatic login information and the connection parameters, avoiding a manual login.
  • the service access module 205 obtains, through the desktop cloud management system, the user rights of the desktop cloud application service accessed by the user, and uses the desktop cloud application service directly according to the acquired user rights, achieving authentication-free access.
  • the user logs in to the desktop cloud through a webpage or client, and the user information is submitted to the desktop cloud management system.
  • the user information includes a user name and authentication information, and the authentication information may be a password, a USB KEY, a dynamic password, or a biometric feature including: a fingerprint feature, a facial feature, an iris feature, or the like, or other feature information that can identify the identity of the user.
  • the desktop cloud management system generates a connection parameter according to the virtual machine selected by the user, and encrypts the authentication information (for example, the connection authentication password);
  • the desktop cloud client initiates a connection request to the remote desktop cloud server by using the encrypted connection parameter
  • the remote desktop cloud server verifies the connection authentication password in the connection request, and if the verification succeeds, the authorization agrees to the connection access, and if the verification is unsuccessful, the connection is rejected;
  • the agent in the virtual machine can automatically log in to the virtual machine operating system by using the authenticated connection authentication information
  • to achieve this, the connection authentication information needs to be bound to the automatic login information of the virtual machine system and to the user rights of the desktop cloud application services.
  • the binding between the connection authentication information and the automatic login information of the virtual machine system is completed when the virtual machine is created.
  • the binding between the connection authentication information and the user rights of the desktop cloud application services may be completed when the virtual machine is created, or applied for by the user to the desktop cloud management system after the virtual machine is created.
  • the automatic login of the related functions can only take effect after the binding succeeds; without a binding, the user can only enter the authentication information manually.
  • FIG. 3 is a process diagram of the connection authentication process between a desktop cloud client and a server provided by an embodiment of the present invention: the user logs in from a webpage or client; the virtual machine list is obtained and a virtual machine is selected for login; the desktop cloud management system generates the connection parameters and encrypts them; the parameters are sent to the client, which initiates a connection request; the desktop cloud server verifies the connection authentication information after receiving the connection request; once the connection authentication information is verified, automatic login to the virtual machine operating system and authentication-free use of the desktop cloud application services can be realized.
  • this connection authentication method effectively ensures the security of the connection, realizes automatic login to the virtual machine operating system, and binds the connection authentication information to the desktop cloud application services, thereby realizing authentication-free access to applications and improving the security and convenience of access in the desktop cloud environment. As shown in FIG. 3, the following steps are included:
  • Step S11 The user enters a user name and authentication information through a webpage or client login interface. The authentication information may be a password, identity information read from a USB KEY or a fingerprint collection device, a dynamic password, a biometric feature (a fingerprint feature, facial feature, iris feature, etc.), or other feature information that can identify the user. The authentication information may be stored in a dedicated authentication server or directly on the remote server; the client's connection request is sent to wherever the authentication information is located, and the authentication operation is performed there.
  • Step S12 The user name and the authentication information are submitted to the desktop cloud management system in step S11, and the desktop cloud management system queries the virtual machine list of the user according to the user name.
  • the virtual machine list is a series of virtual machines belonging to this user created before login.
  • Step S13 The user selects the virtual machine to log in, and submits the login request to the desktop cloud management system.
  • Step S14 The desktop cloud management system generates a connection parameter according to the selected virtual machine, and encrypts the connection authentication password and sends the connection authentication password to the client.
  • the client sends a connection request to the remote desktop cloud server through the network.
  • the desktop cloud management system provides a simple login interface for the user. After the user selects the virtual machine to be logged in, the desktop cloud management system generates the corresponding connection parameters, including the IP address and port number, from the user name and the configuration information of the selected virtual machine, and generates an encrypted connection authentication password.
  • the encryption algorithm for the password can be chosen with different security levels and complexity according to the required security level.
  • Step S15 The desktop cloud server verifies the password field in the client's connection request; if the verification succeeds, access is authorized, and if it fails, the connection is rejected.
  • the password needs to be decrypted with the decryption algorithm corresponding to the encryption algorithm described in step S14. If the connection authentication information uses a fingerprint feature, the fingerprint feature stored for that user name must be looked up to obtain the correct fingerprint feature of the user, and the connection authentication information in the password field is compared with it.
  • when the connection authentication information takes another form, the processing is similar to the fingerprint case and is not detailed here.
  • Step S16 When the connection enters the virtual machine system login interface, the agent in the virtual machine uses the virtual machine system automatic login information in the connection parameter to implement automatic login, and the user information is recorded into the virtual machine system.
  • the connection authentication information needs to be bound to the virtual machine system automatic login information.
  • the binding between the connection authentication information and the automatic login information of the virtual machine system is completed when the virtual machine is created. The automatic login of the virtual machine system can only take effect after the binding succeeds; without a binding, the user can only enter the authentication information manually.
  • the virtual machine system can be Windows, Windows Server, Linux or another desktop operating system.
  • FIG. 4 is a process diagram of a user-free authentication process using a desktop cloud application service according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:
  • Step S21 After logging in to the virtual machine desktop system, the user accesses the application service through the desktop cloud.
  • Step S22 The application queries the desktop cloud management system for the usage right of the user.
  • Step S23 The desktop cloud management system returns the usage right of the corresponding user. If the user has the usage right for the application service described in step S21, the related service of the application service can be logged in to without entering authentication information; if the user does not have that usage right, the user must enter the identity verification information of the application service manually, and the related service can be used after the verification passes.
  • before this, the connection authentication information needs to be bound to the user rights of the desktop cloud application service.
  • the binding of the connection authentication information to the user rights of the desktop cloud application service may be completed when the virtual machine is created, or may be applied for by the user to the desktop cloud management system after the virtual machine is created.
  • the authentication-free function of the related application service can only take effect after the binding succeeds; without a binding, the user can only enter the authentication information manually.
  • the authentication information (such as the authentication password) used by the desktop cloud client to connect to the remote server is transmitted in encrypted form, which improves the security of the connection authentication; the encryption key used is allocated when the virtual machine is created and stored on the remote server.
  • after the connection to the remote server is authenticated, the user identity information is recorded when logging in to the operating system.
  • the identity information is associated with the desktop cloud application services that need to verify identity information, and the database that manages user identity information in the desktop cloud management system holds the corresponding permissions for each user.
  • when an application service is used, the desktop cloud first queries the management system whether the logged-in user has the right to use it, so that automatic login to the application service can be realized.
  • all or part of the steps of the above embodiments may also be implemented with integrated circuits: the steps may be fabricated as individual integrated circuit modules, or several modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when each device/function module/functional unit in the above embodiments is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk, an optical disk or the like.
  • the method and device for connection authentication between a desktop cloud client and a server disclosed in the embodiments of the present invention can increase the security of desktop cloud system access at lower cost, reduce the risk of user information leakage, and provide a secure way to implement authentication-free access to some desktop cloud application services.


Abstract

A method and device for connection authentication between a desktop cloud client and a server, relating to the field of desktop cloud technology. The method includes: the desktop cloud client logs in to the desktop cloud management system to obtain a virtual machine list (S101); a virtual machine to be logged in to is selected from the virtual machine list, and the connection parameters and encrypted authentication information of the virtual machine are obtained through the desktop cloud management system (S102); the desktop cloud client initiates to the desktop cloud server a connection request for verifying the encrypted authentication information (S103); after verification is passed, the selected virtual machine is logged in to using the authorized encrypted authentication information and the connection parameters (S104). This method can improve the security of desktop cloud system access at a lower cost, reduce the risk of user information leakage, and provide a secure way to implement authentication-free access to some desktop cloud application services.

Description

Method and device for connection authentication between desktop cloud client and server
Technical Field
The present invention relates to the field of desktop cloud technology in a cloud computing environment, and in particular to a method for secure connection authentication between a desktop cloud client and a server in the desktop cloud field, and to a related device.
Background
A desktop cloud means that cross-platform applications can be accessed through a thin client or any other device connected to the network. The user's desktop environment is centrally deployed in the enterprise data center; the local terminal is only a relatively low-specification integrated-circuit body with the usual interfaces for connecting display and input devices. Its own processing power is very low, and it relies mainly on connecting to a remote server and sharing the resources of a virtualized processor resource pool. The hosted desktops provided by the desktop cloud can be accessed from a variety of terminal devices, and network access gives enterprise users very flexible working capability: wherever there is a network, employees can enter the enterprise office environment over the network to handle their work.
Since all of the user's data is deployed on remote servers, trusted cloud computing becomes an important concern for users, including trusted access security, trusted network security, and trusted security management. Among these, trusted access security, namely connection authentication between the desktop cloud client and server, is the primary security guarantee of the desktop cloud. In other words, because the data of desktop cloud users is all on cloud servers, protecting user privacy is especially important; desktop cloud security is a key problem that must be solved, and connection authentication between the desktop cloud client and server carries the first line of that security responsibility.
The current secure connection authentication method for desktop clouds is generally to enter an account on the terminal login interface and perform desktop cloud connection authentication and authorization with a password, by inserting a USB KEY, or by collecting fingerprint features. After connection authentication succeeds, a virtual machine can be selected from the user's virtual machine (VM) list for login.
In existing connection authentication methods, some of the user information used for connection authentication (account, password, USB KEY, fingerprint features, etc.) is stored directly in the local data center, and some is sent directly to the server in plaintext for authentication. Such handling is easily stolen by malware, causing leakage of account passwords and other information, so the security of user information cannot be guaranteed.
To ensure security, some desktop clouds require the login information to be entered again when entering the virtual desktop system, and authentication is also required when using certain desktop cloud application services. Each application system in the desktop cloud has its own independent identity authentication method; such repeated authentication not only brings much inconvenience to users but also easily leads to password leakage.
There are also somewhat more complex connection authentication methods in which, when the desktop cloud is deployed, an authentication server is set up in the system dedicated to identity authentication when desktop cloud users log in. This method does improve the security of the desktop cloud, but it also raises the operating cost and maintenance workload of the desktop cloud system.
Summary of the Invention
Embodiments of the present invention provide a method and device for connection authentication between a desktop cloud client and a server, which can better solve the security problem of connection authentication between the desktop cloud client and server.
According to one aspect of the present invention, a method for connection authentication between a desktop cloud client and a server is provided, applied on the desktop side, including:
the desktop cloud client logs in to the desktop cloud management system to obtain a virtual machine list;
a virtual machine to be logged in to is selected from the virtual machine list, and the connection parameters and encrypted authentication information of the virtual machine are obtained through the desktop cloud management system;
a connection request for verifying the encrypted authentication information is initiated to the desktop cloud server;
after verification is passed, the selected virtual machine is logged in to using the authorized encrypted authentication information and the connection parameters.
Optionally, the step of the desktop cloud client logging in to the desktop cloud management system to obtain the virtual machine list includes:
the desktop cloud client sends user information containing the username and authentication information of the desktop cloud client to the desktop cloud management system;
receiving the virtual machine list sent by the desktop cloud management system;
where the virtual machine list is obtained by the desktop cloud management system querying the corresponding virtual machine list using the username sent by the desktop cloud client.
Optionally, the step of selecting a virtual machine to be logged in to from the virtual machine list and obtaining the connection parameters and encrypted authentication information of the virtual machine through the desktop cloud management system includes:
the desktop cloud client obtains the virtual machine to be logged in to that the user selected from the virtual machine list, and sends a login request containing the virtual machine information to the desktop cloud management system;
receiving the virtual machine connection parameters and encrypted authentication information sent by the desktop cloud management system;
where the virtual machine connection parameters are generated by the desktop cloud management system after parsing the login request sent by the desktop cloud client to obtain the virtual machine information in it;
the encrypted authentication information is obtained by the desktop cloud management system encrypting the authentication information with the encryption key allocated when the virtual machine was created.
Optionally, the step of the desktop cloud client initiating to the desktop cloud server a connection request for verifying the encrypted authentication information includes:
the desktop cloud client sends a connection request carrying the encrypted authentication information to the desktop cloud server;
receiving the verification result sent by the desktop cloud server;
where the verification result is obtained by the desktop cloud server in the following way:
the desktop cloud server decrypts the encrypted authentication information sent by the desktop cloud client with the decryption key allocated when the virtual machine was created, obtaining the authentication information;
the decrypted authentication information is compared with the pre-stored authentication information corresponding to the username;
if they match, verification of the encrypted authentication information is confirmed as passed, giving the verification result.
Optionally, the step of logging in to the selected virtual machine using the encrypted authentication information and the connection parameters includes:
using the encrypted authentication information to obtain the virtual machine automatic login information bound to it, and automatically logging in to the selected virtual machine using the virtual machine automatic login information and the connection parameters.
Optionally, after the step of logging in to the selected virtual machine, the method further includes:
when a desktop cloud application service is accessed using the logged-in virtual machine, obtaining, through the desktop cloud management system, the user rights for the desktop cloud application service the user accesses;
using the desktop cloud application service directly according to the obtained user rights.
According to one aspect of the present invention, a method for connection authentication between a desktop cloud client and a server is provided, applied on the desktop cloud server, including:
receiving a connection request initiated by the desktop cloud client for verifying encrypted authentication information, verifying the encrypted authentication information, and, after verification is passed, sending verification-passed information to the desktop cloud client; where
the encrypted authentication information is obtained by the desktop cloud client in the following way:
the desktop cloud client logs in to the desktop cloud management system to obtain a virtual machine list;
a virtual machine to be logged in to is selected from the virtual machine list, the connection parameters of the virtual machine are obtained through the desktop cloud management system, and the encrypted authentication information is obtained.
Optionally, the step of verifying the encrypted authentication information and, after verification is passed, sending verification-passed information to the desktop cloud client includes:
the desktop cloud server decrypts the encrypted authentication information sent by the desktop cloud client with the decryption key allocated when the virtual machine was created, obtaining the authentication information;
the decrypted authentication information is compared with the pre-stored authentication information corresponding to the username; if they match, verification of the encrypted authentication information is confirmed as passed, and verification-passed information is sent to the desktop cloud client.
Optionally, the encrypted authentication information is obtained by the desktop cloud client sending user information containing its username and authentication information to the desktop cloud management system, and by the desktop cloud management system encrypting the authentication information with the encryption key allocated when the virtual machine was created.
According to another aspect of the present invention, a device for connection authentication between a desktop cloud client and a server is provided, including:
a virtual machine list acquisition module, configured to log in to the desktop cloud management system to obtain a virtual machine list;
a parameter acquisition module, configured to select a virtual machine to be logged in to from the virtual machine list and obtain the connection parameters and encrypted authentication information of the virtual machine through the desktop cloud management system;
a connection request module, configured to initiate to the desktop cloud server a connection request for verifying the encrypted authentication information;
a virtual machine login module, configured to log in to the selected virtual machine, after verification is passed, using the authorized encrypted authentication information and the connection parameters.
Optionally, the virtual machine list acquisition module sends user information containing its username and authentication information to the desktop cloud management system, and receives the corresponding virtual machine list that the desktop cloud management system queried using the username.
Optionally, the parameter acquisition module obtains the virtual machine to be logged in to that the user selected from the virtual machine list, sends a login request containing the virtual machine information to the desktop cloud management system, and receives the connection parameters and encrypted authentication information of the virtual machine generated by the desktop cloud management system, where the encrypted authentication information is obtained by encrypting the authentication information with the encryption key allocated when the virtual machine was created.
Optionally, the connection request module sends a connection request carrying the encrypted authentication information to the desktop cloud server, and receives the verification result generated by the desktop cloud server in response to the connection request, where the encrypted authentication information is decrypted with the decryption key allocated when the virtual machine was created to obtain the authentication information, the decrypted authentication information is compared with the pre-stored authentication information corresponding to the username, and, when they match, a verification result indicating that the encrypted authentication information passed verification is generated.
Optionally, the virtual machine login module uses the authorized encrypted authentication information to obtain the virtual machine automatic login information bound to it, and automatically logs in to the selected virtual machine using the virtual machine automatic login information and the connection parameters.
Optionally, the device further includes:
a service access module, configured, when a desktop cloud application service is accessed using the logged-in virtual machine, to obtain through the desktop cloud management system the user rights for the desktop cloud application service the user accesses, and to use the desktop cloud application service directly according to the obtained user rights.
The present invention also provides a computer program and its carrier; the computer program includes program instructions which, when executed by a desktop cloud client, enable the desktop cloud client to carry out the above method for connection authentication between a desktop cloud client and server.
The present invention also provides a computer program and its carrier; the computer program includes program instructions which, when executed by a desktop cloud server, enable the desktop cloud server to carry out the above method for connection authentication between a desktop cloud client and server.
Compared with the prior art, the beneficial effects of the embodiments of the present invention are:
1. Embodiments of the present invention can improve the security of desktop cloud system access at a lower cost and reduce the risk of user information leakage;
2. Embodiments of the present invention can log in to the virtual machine automatically, avoiding the tedious procedure of manual user login;
3. Embodiments of the present invention can implement authentication-free access to some desktop cloud application services in a secure way.
Brief Description of the Drawings
Fig. 1 is a schematic block diagram of the method for connection authentication between a desktop cloud client and server provided by an embodiment of the present invention;
Fig. 2 is a block diagram of the device for connection authentication between a desktop cloud client and server provided by an embodiment of the present invention;
Fig. 3 is a diagram of the connection authentication process between the desktop cloud client and server provided by an embodiment of the present invention;
Fig. 4 is a diagram of the process by which a user uses a desktop cloud application service without identity verification, provided by an embodiment of the present invention.
Preferred Embodiments of the Invention
The preferred embodiments of the present invention are described in detail below with reference to the drawings. It should be understood that the preferred embodiments described below are only used to illustrate and explain the present invention and are not intended to limit it. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other arbitrarily.
Fig. 1 is a schematic block diagram of the method for connection authentication between a desktop cloud client and server provided by an embodiment of the present invention. As shown in Fig. 1, the steps include:
Step S101: the desktop cloud client logs in to the desktop cloud management system to obtain a virtual machine list.
Specifically, the desktop cloud client sends user information containing its username and authentication information to the desktop cloud management system via a web page or similar; the desktop cloud management system queries the corresponding virtual machine list using the username and sends the virtual machine list to the desktop cloud client.
Step S102: a virtual machine to be logged in to is selected from the virtual machine list, and the connection parameters and encrypted authentication information of the virtual machine are obtained through the desktop cloud management system.
Specifically, the desktop cloud client obtains the virtual machine to be logged in to that the user selected from the virtual machine list, and sends a login request containing the virtual machine information to the desktop cloud management system; the desktop cloud management system parses the login request to obtain the virtual machine information in it, generates the connection parameters of the virtual machine, encrypts the authentication information with the encryption key allocated when the virtual machine was created to obtain the encrypted authentication information, and sends the connection parameters and the encrypted authentication information to the desktop cloud client.
Step S103: the desktop cloud client initiates to the desktop cloud server a connection request for verifying the encrypted authentication information.
Specifically, the desktop cloud client sends a connection request carrying the encrypted authentication information to the desktop cloud server; the desktop cloud server decrypts the encrypted authentication information with the decryption key allocated when the virtual machine was created to obtain the authentication information, compares the decrypted authentication information with the pre-stored authentication information corresponding to the username, and, if they match, the encrypted authentication information passes verification and the verification result is sent to the desktop cloud client.
Step S104: after verification is passed, the selected virtual machine is logged in to using the authorized encrypted authentication information and the connection parameters.
Specifically, the authorized encrypted authentication information is used to obtain the virtual machine automatic login information bound to it, and the selected virtual machine is logged in to automatically using the virtual machine automatic login information and the connection parameters. In other words, when the user logs in to the virtual machine, as long as the desktop cloud server's verification of the encrypted authentication information passes, the selected virtual machine can be logged in to directly without the user logging in manually.
After logging in to the virtual machine, if a desktop cloud application service needs to be accessed, the user rights for the desktop cloud application service the user accesses are obtained through the desktop cloud management system, and the desktop cloud application service is used directly according to the obtained user rights. In other words, a user with the corresponding rights can use the services provided by the desktop cloud application service directly without identity verification; if the desktop cloud server's verification of the encrypted authentication information did not pass when the user logged in to the virtual machine, the user must log in manually.
Compared with the traditional connection authentication method between a desktop cloud client and server, the present invention achieves automatic login to the virtual machine operating system while ensuring connection security, and binds the connection authentication information to desktop cloud application services, so that authentication-free access to application services can be achieved.
Fig. 2 is a block diagram of the device for connection authentication between a desktop cloud client and server provided by an embodiment of the present invention. As shown in Fig. 2, it includes: a virtual machine list acquisition module 201, a parameter acquisition module 202, a connection request module 203, a virtual machine login module 204, and a service access module 205.
The virtual machine list acquisition module 201 logs in to the desktop cloud management system to obtain the virtual machine list. Specifically, the virtual machine list acquisition module 201 sends user information containing its username and authentication information to the desktop cloud management system, and the desktop cloud management system queries the corresponding virtual machine list using the username and sends it to the desktop cloud client.
The parameter acquisition module 202 obtains the virtual machine to be logged in to that the user selected from the virtual machine list and sends a login request containing the virtual machine information to the desktop cloud management system; the desktop cloud management system generates the connection parameters of the virtual machine, encrypts the authentication information with the encryption key allocated when the virtual machine was created to obtain the encrypted authentication information, improving the security of connection authentication, and finally sends the connection parameters and encrypted authentication information to the desktop cloud client.
The connection request module 203 initiates to the desktop cloud server a connection request for verifying the encrypted authentication information. Specifically, the connection request module 203 sends a connection request carrying the encrypted authentication information to the desktop cloud server; the desktop cloud server decrypts the encrypted authentication information with the decryption key allocated when the virtual machine was created to obtain the authentication information, compares the decrypted authentication information with the pre-stored authentication information corresponding to the username, and, when they match, generates a verification result indicating that the encrypted authentication information passed verification.
After verification is passed, the virtual machine login module 204 logs in to the selected virtual machine using the authorized encrypted authentication information and the connection parameters. Specifically, the virtual machine login module 204 uses the authorized encrypted authentication information to obtain the virtual machine automatic login information bound to it, and automatically logs in to the selected virtual machine using the virtual machine automatic login information and the connection parameters, avoiding manual login.
When a desktop cloud application service is accessed using the logged-in virtual machine, the service access module 205 obtains, through the desktop cloud management system, the user rights for the desktop cloud application service the user accesses, and uses the desktop cloud application service directly according to the obtained user rights, achieving authentication-free access.
In summary, the technical solution of the embodiments of the present invention is as follows:
1) The user logs in to the desktop cloud through a web page or client, and the user information is submitted to the desktop cloud management system. The user information contains a username and authentication information; the authentication information may be a password, a USB KEY, a one-time password, biometric features (including fingerprint, facial, and iris features), or other feature information that can identify the user.
2) The desktop cloud management system generates connection parameters according to the virtual machine selected by the user and encrypts the authentication information (for example, the connection authentication password);
3) The desktop cloud client uses the above encrypted connection parameters to initiate a connection request to the remote desktop cloud server;
4) The remote desktop cloud server verifies the connection authentication password in the connection request; if verification succeeds, the connection is authorized and admitted, and if it fails, the connection is refused;
5) The agent in the virtual machine uses the authorized connection authentication information to achieve automatic login to the virtual machine operating system;
6) When the user accesses a desktop cloud application service in the virtual machine, the corresponding user's rights are queried, so that certain desktop cloud application services can be used without identity verification.
Before steps 5) and 6) are carried out, the connection authentication information must be bound to the virtual machine system automatic login information and to the user rights of the desktop cloud application services. The binding of the connection authentication information to the virtual machine system automatic login information is completed when the virtual machine is created; the binding of the connection authentication information to the user rights of desktop cloud application services may be completed when the virtual machine is created, or may be requested by the user from the desktop cloud management system after the virtual machine is created. Only after the binding operation succeeds can the automatic login function of the related features be achieved; without binding, the user can only enter the identity authentication information manually.
Fig. 3 is a diagram of the connection authentication process between the desktop cloud client and server provided by an embodiment of the present invention. The user logs in from a web page or client; the virtual machine list is obtained and a virtual machine is selected for login; the desktop cloud management system generates the connection parameters and encrypts them; the parameters are delivered to the client, which initiates a connection request; after receiving the connection request, the desktop cloud server verifies the connection authentication information; once the connection authentication information passes verification, automatic login to the virtual machine operating system and authentication-free use of desktop cloud application services become possible. This connection authentication method effectively ensures connection security while achieving automatic login to the virtual machine operating system, and after the connection authentication information is bound to desktop cloud application services, authentication-free access to application services can be achieved, improving the security and convenience of access in a desktop cloud environment. As shown in Fig. 3, the following steps are included:
Step S11: the user enters a username and authentication information on the web page or client login interface. The authentication information may be a password, identity information obtained from a USB KEY or fingerprint collection device, a USB KEY, a one-time password, biometric features (including fingerprint, facial, and iris features), or other feature information that can identify the user. The authentication information may be stored on a dedicated authentication server or directly on the remote server; the client's connection request is sent to wherever the authentication information is located for the authentication operation.
Step S12: the username and authentication information from step S11 are submitted to the desktop cloud management system, which queries the list of virtual machines belonging to the user according to the username. The virtual machine list is the set of virtual machines belonging to this user that were created before login.
Step S13: the user selects a virtual machine to log in to, and the login request is submitted to the desktop cloud management system.
Step S14: the desktop cloud management system generates connection parameters according to the selected virtual machine, encrypts the connection authentication password, and delivers them to the client; the client sends a connection request to the remote desktop cloud server over the network. The desktop cloud management system presents the user with a simple login interface; once the user has selected the virtual machine to log in to, the desktop cloud management system generates the corresponding connection parameters according to the user and the selected virtual machine, including the IP address, port number, username, and related virtual machine configuration information, and generates the encrypted connection authentication password. The encryption algorithm for the password may be chosen according to the required security level, with different levels of security and complexity.
Step S15: the desktop cloud server verifies the password field in the client's connection request; if verification passes, access is authorized, and if it fails, access is refused. The password must be decrypted with the decryption algorithm corresponding to the encryption algorithm of step S14. If the connection authentication information uses fingerprint features, the fingerprint features corresponding to the username are looked up to obtain the correct fingerprint features for the user, and the connection authentication information in the password field is compared with those correct fingerprint features. If the connection authentication information uses another method, it is handled in the same way as the fingerprint method and is not described again here.
Step S16: when the connection reaches the virtual machine system login interface, the agent in the virtual machine uses the virtual machine system automatic login information in the connection parameters to log in automatically, and records the user information in the virtual machine system. Before this, the connection authentication information must be bound to the virtual machine system automatic login information. This binding is completed when the virtual machine is created; only after the binding operation succeeds can automatic login to the virtual machine system be achieved, and without binding the user can only enter the identity authentication information manually. The virtual machine system may be Windows, Windows Server, Linux, or another desktop operating system.
Fig. 4 is a diagram of the process by which a user uses a desktop cloud application service without identity verification, provided by an embodiment of the present invention. As shown in Fig. 4, the following steps are included:
Step S21: after logging in to the virtual machine desktop system, the user accesses an application service through the desktop cloud.
Step S22: the application queries the desktop cloud management system for the user's usage rights.
Step S23: the desktop cloud management system returns the corresponding user's usage rights. If the user has the right to use the application service of step S21, the user can log in to the application service and use its services without entering identity verification information again; if the user does not have the right to use the application service of step S21, the identity verification information for the application service must be entered manually, and the services can be used only after verification passes.
Before this, the connection authentication information must be bound to the user rights of the desktop cloud application service. This binding may be completed when the virtual machine is created, or may be requested by the user from the desktop cloud management system after the virtual machine is created. Only after the binding operation succeeds can the authentication-free function of the related application service be achieved; without binding, the user can only enter the identity authentication information manually.
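The three-party exchange of steps 1) to 6) and S11 to S16 above, together with the permission lookup of S21 to S23, as an added Python simulation that is not code from the patent: the management system seals the authentication information under the key allocated at VM creation, the client only relays the sealed blob, and the server unseals it with the same per-VM key and compares it in constant time against the pre-stored value. The HMAC-based cipher, the party and field names, and the sample user, VMs, keys and service binding are all constructed assumptions standing in for whatever a deployment chooses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
# Toy authenticated encryption standing in for whichever cipher a deployment selects by
# security level (step S14): HMAC-SHA256 keystream, encrypt-then-MAC, fresh nonce, and
# associated data (AAD) that binds the sealed blob to one (username, VM) pair.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, aad: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong VM key, tampered, or replayed under another user/VM
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def _aad(username: str, vm_id: str) -> bytes:
    return username.encode() + b"|" + vm_id.encode()

@dataclass
class ManagementSystem:
    """Steps S12-S14 and S22-S23: VM directory, per-VM keys, service-permission bindings."""
    users: dict             # username -> (auth info, [vm ids])
    vm_params: dict         # vm id -> connection parameters (IP, port, user, ...)
    vm_keys: dict           # vm id -> encryption key allocated when the VM was created
    service_bindings: dict  # (username, service) -> True when bound (authentication-free)
    def vm_list(self, username: str, auth_info: bytes) -> list:
        stored, vms = self.users.get(username, (None, []))
        return list(vms) if stored is not None and hmac.compare_digest(stored, auth_info) else []
    def login_request(self, username: str, auth_info: bytes, vm_id: str):
        if vm_id not in self.vm_list(username, auth_info):
            return None
        return self.vm_params[vm_id], seal(self.vm_keys[vm_id], auth_info, _aad(username, vm_id))
    def has_permission(self, username: str, service: str) -> bool:
        return self.service_bindings.get((username, service), False)

@dataclass
class DesktopCloudServer:
    """Step S15: same per-VM keys plus the pre-stored auth info (a real deployment
    would keep a salted hash of it rather than the raw secret)."""
    vm_keys: dict
    stored_auth: dict       # username -> pre-stored authentication information
    def verify(self, username: str, vm_id: str, blob: bytes) -> bool:
        key = self.vm_keys.get(vm_id)
        got = unseal(key, blob, _aad(username, vm_id)) if key else None
        expect = self.stored_auth.get(username)
        return got is not None and expect is not None and hmac.compare_digest(got, expect)

def client_login(ms, server, username: str, auth_info: bytes, vm_id: str) -> dict:
    """Steps S11-S16 from the client's side: the blob is only relayed, never decrypted."""
    resp = ms.login_request(username, auth_info, vm_id)
    if resp is None:
        return {"authorized": False, "auto_login": False, "params": None}
    params, blob = resp
    ok = server.verify(username, vm_id, blob)  # authorize or refuse (step 4 / S15)
    return {"authorized": ok, "auto_login": ok, "params": params if ok else None}

def build_demo():
    """Constructed sample deployment (not from the patent): one user, two VMs, one bound service."""
    keys = {"vm-01": os.urandom(32), "vm-02": os.urandom(32)}  # allocated at VM creation
    ms = ManagementSystem(
        users={"alice": (b"s3cret-pw", ["vm-01", "vm-02"])},
        vm_params={v: {"ip": ip, "port": 5900, "user": "alice"} for v, ip in [("vm-01", "10.0.0.11"), ("vm-02", "10.0.0.12")]},
        vm_keys=keys, service_bindings={("alice", "mail"): True})
    return ms, DesktopCloudServer(vm_keys=keys, stored_auth={"alice": b"s3cret-pw"})
```

Because the AAD covers the username and VM id, a blob issued for one VM is rejected when presented for another VM or another user, which is the binding the text describes between the connection authentication information and the VM created with that key.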
In summary, the embodiments of the present invention have the following technical effects:
1. In the embodiments of the present invention, the authentication information (for example, the authentication password) used by the desktop cloud client to connect to the remote server is encrypted before transmission, which improves the security of connection authentication; the encryption key used is allocated when the virtual machine is created and is stored in the remote server.
2. When the virtual machine system login interface is reached, a dedicated service agent in the virtual machine system is responsible for the automatic login function of the operating system, sparing the user the tedium of manual login.
3. After the user's identity information has been authenticated through connection authentication with the remote server, it is recorded once the user logs in to the operating system. This identity information is associated with the desktop cloud application services that need to verify identity; the desktop cloud management system has a database managing user identity information, in which each user has corresponding rights. When the user uses certain desktop cloud application services, the desktop cloud first queries the management system whether the logged-in user has the right to use that application service, and if so, automatic login to the application service can be achieved.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented with a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, apparatus, device, or component), and its execution includes one or a combination of the steps of the method embodiments.
Optionally, all or part of the steps of the above embodiments may also be implemented with integrated circuits; these steps may be separately fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The devices/function modules/functional units in the above embodiments may be implemented with general-purpose computing devices; they may be centralized on a single computing device or distributed over a network formed by multiple computing devices.
When the devices/function modules/functional units in the above embodiments are implemented in the form of software function modules and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. The above-mentioned computer-readable storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
Any person skilled in the art can easily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these should all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that defined by the claims.
Industrial Applicability
The method and device for connection authentication between a desktop cloud client and server disclosed in the embodiments of the present invention can improve the security of desktop cloud system access at a lower cost, reduce the risk of user information leakage, and provide a secure way to implement authentication-free access to some desktop cloud application services.

Claims (19)

  1. A method for connection authentication between a desktop cloud client and a server, applied on the desktop cloud client, including:
    the desktop cloud client logs in to the desktop cloud management system to obtain a virtual machine list;
    a virtual machine to be logged in to is selected from the virtual machine list, and the connection parameters and encrypted authentication information of the virtual machine are obtained through the desktop cloud management system;
    a connection request for verifying the encrypted authentication information is initiated to the desktop cloud server;
    after verification is passed, the selected virtual machine is logged in to using the authorized encrypted authentication information and the connection parameters.
  2. The method according to claim 1, wherein the step of the desktop cloud client logging in to the desktop cloud management system to obtain the virtual machine list includes:
    the desktop cloud client sends user information containing the username and authentication information of the desktop cloud client to the desktop cloud management system;
    receiving the virtual machine list sent by the desktop cloud management system;
    wherein the virtual machine list is obtained by the desktop cloud management system querying the corresponding virtual machine list using the username sent by the desktop cloud client.
  3. The method according to claim 1, wherein the step of selecting a virtual machine to be logged in to from the virtual machine list and obtaining the connection parameters and encrypted authentication information of the virtual machine through the desktop cloud management system includes:
    the desktop cloud client obtains the virtual machine to be logged in to that the user selected from the virtual machine list, and sends a login request containing the virtual machine information to the desktop cloud management system;
    receiving the virtual machine connection parameters and encrypted authentication information sent by the desktop cloud management system;
    wherein the virtual machine connection parameters are generated by the desktop cloud management system after parsing the login request sent by the desktop cloud client to obtain the virtual machine information in it;
    the encrypted authentication information is obtained by the desktop cloud management system encrypting the authentication information with the encryption key allocated when the virtual machine was created.
  4. The method according to claim 1, wherein the step of the desktop cloud client initiating to the desktop cloud server a connection request for verifying the encrypted authentication information includes:
    the desktop cloud client sends a connection request carrying the encrypted authentication information to the desktop cloud server;
    receiving the verification result sent by the desktop cloud server;
    wherein the verification result is obtained by the desktop cloud server in the following way:
    the desktop cloud server decrypts the encrypted authentication information sent by the desktop cloud client with the decryption key allocated when the virtual machine was created, obtaining the authentication information;
    the decrypted authentication information is compared with the pre-stored authentication information corresponding to the username; if they match, verification of the encrypted authentication information is confirmed as passed, giving the verification result.
  5. The method according to claim 1, wherein the step of logging in to the selected virtual machine using the encrypted authentication information and the connection parameters includes:
    using the encrypted authentication information to obtain the virtual machine automatic login information bound to the encrypted authentication information, and automatically logging in to the selected virtual machine using the virtual machine automatic login information and the connection parameters.
  6. The method according to any one of claims 1-5, further including, after the step of logging in to the selected virtual machine:
    when a desktop cloud application service is accessed using the logged-in virtual machine, obtaining, through the desktop cloud management system, the user rights for the desktop cloud application service the user accesses;
    using the desktop cloud application service directly according to the obtained user rights.
  7. A method for connection authentication between a desktop cloud client and a server, applied on the desktop cloud server, including:
    receiving a connection request initiated by the desktop cloud client for verifying encrypted authentication information, verifying the encrypted authentication information, and, after verification is passed, sending verification-passed information to the desktop cloud client; wherein
    the encrypted authentication information is obtained by the desktop cloud client in the following way:
    the desktop cloud client logs in to the desktop cloud management system to obtain a virtual machine list;
    a virtual machine to be logged in to is selected from the virtual machine list, the connection parameters of the virtual machine are obtained through the desktop cloud management system, and the encrypted authentication information is obtained.
  8. The method according to claim 7, wherein the step of verifying the encrypted authentication information and, after verification is passed, sending verification-passed information to the desktop cloud client includes:
    the desktop cloud server decrypts the encrypted authentication information sent by the desktop cloud client with the decryption key allocated when the virtual machine was created, obtaining the authentication information;
    the decrypted authentication information is compared with the pre-stored authentication information corresponding to the username; if they match, verification of the encrypted authentication information is confirmed as passed, and verification-passed information is sent to the desktop cloud client.
  9. The method according to claim 7 or 8, wherein the encrypted authentication information is obtained by the desktop cloud client sending user information containing its username and authentication information to the desktop cloud management system, and by the desktop cloud management system encrypting the authentication information with the encryption key allocated when the virtual machine was created.
  10. A device for connection authentication between a desktop cloud client and a server, including:
    a virtual machine list acquisition module, configured to log in to the desktop cloud management system to obtain a virtual machine list;
    a parameter acquisition module, configured to select a virtual machine to be logged in to from the virtual machine list and obtain the connection parameters and encrypted authentication information of the virtual machine through the desktop cloud management system;
    a connection request module, configured to initiate to the desktop cloud server a connection request for verifying the encrypted authentication information;
    a virtual machine login module, configured to log in to the selected virtual machine, after verification is passed, using the encrypted authentication information and the connection parameters.
  11. The device according to claim 10, wherein the virtual machine list acquisition module is configured to send user information containing the username and authentication information of the desktop cloud client to the desktop cloud management system, and to receive the corresponding virtual machine list that the desktop cloud management system queried using the username.
  12. The device according to claim 10, wherein the parameter acquisition module is configured to obtain the virtual machine to be logged in to that the user selected from the virtual machine list, send a login request containing the virtual machine information to the desktop cloud management system, and receive the connection parameters and encrypted authentication information of the virtual machine generated by the desktop cloud management system, wherein the encrypted authentication information is obtained by the desktop cloud management system encrypting the authentication information with the encryption key allocated when the virtual machine was created.
  13. The device according to claim 10, wherein the connection request module is configured to send a connection request carrying the encrypted authentication information to the desktop cloud server, and to receive the verification result, generated by the desktop cloud server in response to the connection request, indicating that the encrypted authentication information passed verification; wherein the verification result is generated by the desktop cloud server decrypting the encrypted authentication information with the decryption key allocated when the virtual machine was created to obtain the authentication information, comparing the decrypted authentication information with the pre-stored authentication information corresponding to the username, and finding that they match.
  14. The device according to claim 10, wherein the virtual machine login module is configured to use the encrypted authentication information to obtain the virtual machine automatic login information bound to the encrypted authentication information, and to automatically log in to the selected virtual machine using the virtual machine automatic login information and the connection parameters.
  15. The device according to any one of claims 10-14, further including:
    a service access module, configured, when a desktop cloud application service is accessed using the logged-in virtual machine, to obtain through the desktop cloud management system the user rights for the desktop cloud application service the user accesses, and to use the desktop cloud application service directly according to the obtained user rights.
  16. A computer program including program instructions which, when executed by a desktop cloud client, enable the desktop cloud client to perform the method of any one of claims 1-6.
  17. A carrier carrying the computer program of claim 16.
  18. A computer program including program instructions which, when executed by a desktop cloud server, enable the desktop cloud server to perform the method of any one of claims 7-9.
  19. A carrier carrying the computer program of claim 18.
PCT/CN2014/089095 2014-06-23 2014-10-21 Method and device for connection authentication between desktop cloud client and server WO2015196659A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410284390.XA CN105187362B (zh) 2014-06-23 2014-06-23 Method and device for connection authentication between desktop cloud client and server
CN201410284390.X 2014-06-23

Publications (1)

Publication Number Publication Date
WO2015196659A1 true WO2015196659A1 (zh) 2015-12-30

Family

ID=54909208

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/089095 WO2015196659A1 (zh) 2014-06-23 2014-10-21 Method and device for connection authentication between desktop cloud client and server

Country Status (2)

Country Link
CN (1) CN105187362B (zh)
WO (1) WO2015196659A1 (zh)


Also Published As

Publication number Publication date
CN105187362A (zh) 2015-12-23
CN105187362B (zh) 2020-01-10


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14896066; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14896066; Country of ref document: EP; Kind code of ref document: A1)